More Articles

The Dispatch E-Edition

All current subscribers have full access to Digital D, which includes the E-Edition and
unlimited premium content on Dispatch.com, BuckeyeXtra.com, BlueJacketsXtra.com and
DispatchPolitics.com.
Subscribe
today!

The data breach at Target Corp. over the holiday shopping season was far bigger than initially
thought, the company said yesterday, as state prosecutors announced a nationwide probe.

Target said an investigation has found that the hackers stole the personal information of at
least 70 million customers, including names, mailing addresses, telephone numbers and email
addresses. Previously, the No.3 U.S. retailer said the hackers stole data from 40 million credit
and debit cards.

The two sets of numbers likely contained some overlap, but the extent was not clear, said
Target spokeswoman Molly Snyder. She also noted that some of the victims shopped at Target stores
outside of the previously announced period of the breach, Nov. 27 to Dec. 15.

In a statement yesterday, Target Chief Executive Gregg Steinhafel said, “I know that it is
frustrating for our guests to learn that this information was taken, and we are truly sorry they
are having to endure this.”

Attorneys general from New York, Connecticut, Massachusetts and Minnesota said they were
joining a nationwide probe into the security breach.

“A breach of this magnitude is extremely disconcerting,” said Massachusetts Attorney General
Martha Coakley.

A source familiar with the joint probe said more than 30 states were involved. Attorney
General Mike DeWine said Ohio is not part of the probe, but his office is looking into the matter.

Security experts said the stolen payment-card data could be used to fabricate false
magnetic-strip credit cards. And the personal information could be sold on underground exchanges
for use in email “phishing” campaigns, aimed at persuading victims to hand over even more sensitive
information, such as bank-account numbers.

“I think they still have no idea how big this is,” said David Kennedy, a former U.S. Marine
Corps cyberintelligence analyst who runs his own consulting firm, TrustedSec LLC.

Fraud reports growing

Reports of fraudulent card charges have been growing since the Target breach was disclosed,
said an executive at one major card issuer who asked not to be identified.

The full magnitude of the damage will not likely be known until later in January, when
customers examine their monthly statements and call their banks, the executive said. He added that,
in past cases, it has taken 30 to 45 days for the vast majority of bad charges to surface.

Target and credit-card issuers have said customers will have zero liability for any
fraudulent charges.

But that doesn’t mean the breach won’t cause headaches.

Colleen McCarthy, 26, of Cleveland, received a call Monday night from Chase, alerting her
that someone tried to use her debit account twice in Michigan. The thief

cleared $150. Chase restored the money to her account, but not fast enough.

“This has been a nightmare,” she said. “My rent check bounced. My debit card had to be
canceled. And who’s to say what other people have access to my information?”

McCarthy used her Chase debit card at a local Target on the Friday after Thanksgiving and
received an alert from Chase a few days after news of the breach broke. The letter identified her
as a potential victim of the Target breach but said, “Don’t worry.”

She’s now avoiding shopping at Target.

Harlan Loeb, global chairman of the crisis and risk-management practice at Edelman, said
Target should have been more proactive in communicating with its customers.

“The one thing that should be part of any crisis plan is the specter that you might have to
be in communication with hundreds of thousands of customers instantly,” Loeb said.

According to a Reuters/Ipsos poll, 40 percent of people who shopped at Target during the
period of the data breach had not been notified about the incident. Thirty-one percent said they
had been notified by Target; 28 percent said they had been notified by their bank or credit-card
company.

Total cost unknown

Fallout from Target’s pre-Christmas security breach is likely to affect the company’s sales
and profits well into 2014.

Yesterday, Target cut its fourth-quarter adjusted earnings forecast for U.S. operations to
between $1.20 and $1.30 per share, from $1.50 to $1.60. The Minneapolis-based company also forecast
a